Standards and Compliance
Overview of Grey Matter's compliance with federal laws and standards.
Grey Matter's configuration is guided by several laws, regulations, and standards to meet evolving market directions, security issues, and customer needs. These regulations address the following technical challenges and deliver the customer benefits listed alongside them.

| Technical Challenge | Customer Benefit |
| --- | --- |
| Mesh distribution, oversight, and control. | Granular audit, policy compliance, and service-level insight. |
| Access to all user activity. | Grant fully observable audit control for fast forensic analysis. |
| Security policy enforcement. | Use zero-trust infrastructure for service-to-service mTLS connections, scheduled or on-demand key rotations, and service cryptographic identifiers. |
Grey Matter complies with or otherwise supports the following laws and standards.

FISMA

The Federal Information Security Management Act (FISMA) of 2002, enacted as Title III of another law, requires each federal agency to develop, document, and implement a program to provide information security to all information systems supporting that agency. It mandates FIPS 200 (basic security requirements) and uses NIST Special Publication 800-53 controls to evaluate information systems.
The system security plans must follow NIST SP 800-18. FISMA assigns specific responsibilities to certain federal agencies to follow up and monitor compliance.

GDPR

At its heart, the EU General Data Protection Regulation (GDPR) is intended to strengthen the rights of EU citizens to determine how their personal data is processed by organizations operating in the EU and abroad.

Intended Use

Under GDPR, organizations may only use customer-provided data for the purpose for which those customers have given consent. The GDPR empowers both customers to control their Personal Data and the regulatory bodies conducting oversight on their behalf. To that end, ensuring and reporting on data provenance will receive increased scrutiny.

Right to Forget

GDPR also ensures customers have the “right to be forgotten.” By nature of legacy data handling architecture and business process, this may present the most difficult GDPR compliance challenge an enterprise-scale company is likely to face.

Derived Data

Not only does the right to be forgotten include the Personal Data directly related to a particular user, but it may also include data derived from the analysis of that user’s overall profile. For example, algorithmically derived recommender data generated by the analysis of a customer’s purchase history also falls under the GDPR rubric.

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 establishes the following healthcare PII-related provisions:
    Transfers and continues health insurance coverage for millions of American workers and their families when they change or lose their jobs
    Reduces health care fraud and abuse
    Mandates industry-wide standards for health care information on electronic billing and other processes
    Requires the protection and confidential handling of protected health information

NIST

National Institute of Standards and Technology (NIST) Special Publication 800-37 offers guidelines for applying the Risk Management Framework (RMF) to information systems. The guideline defines RMF roles, responsibilities, and lifecycle processes for systems and organizations. RMF offers a flexible, structured process for security and privacy risk management. This process covers system categorization; control implementation and assessment; system and common control authorizations; and continuous monitoring.

FedRAMP

The Federal Risk and Authorization Management Program (FedRAMP) is an accreditation process for cloud computing and cloud services that ensures they are secure enough for use by the federal government. It is overseen by the CIOs of DoD, DHS, and GSA, who make up the FedRAMP Joint Authorization Board. Before FedRAMP, individual organizations had to perform their own accreditation.
The process consists of a preselected subset of NIST 800-53 controls for Low- and Medium-impact (according to FIPS 199 class) cloud services. Under this process, cloud services are evaluated for their impact on existing systems, and the appropriate preselected controls are then tested by a third-party accreditation organization to certify the product.

FIPS

FIPS (Federal Information Processing Standards) are standards covering document processing, encryption algorithms, and other information technology requirements for use by non-military US Government agencies and the contractors and vendors working with them.
FIPS are developed by the National Institute of Standards and Technology (NIST) when required by statute and/or as needed to meet compelling federal government cybersecurity requirements. NIST issues FIPS publications pursuant to Section 5131 of the Information Technology Management Reform Act of 1996 (Public Law 104-106) and the Computer Security Act of 1987 (Public Law 100-235).

Questions

Have a question about standards and compliance? Contact us at [email protected].
The guidance referenced above has not been vetted by third-party security assessors and is provided for informational purposes. Users are solely responsible for the development, implementation, and management of their applications and subscriptions running on their own platform in compliance with applicable laws, regulations, and contractual obligations. Documentation herein is provided “as-is” with no warranty, whether express, implied or statutory, of any kind. Decipher Technology Studios expressly disclaims all warranties for non-infringement, merchantability, or fitness for a particular purpose.